eapol_test

BuzzSaw Code buzzsaw.code at gmail.com
Fri Feb 21 17:33:30 UTC 2025


I must be cursed - test install with the default site on a RHEL8 host,
FreeRADIUS 3.2.7 built from source, running eapol_test locally on the
server:

(0) Received Access-Request Id 0 from 127.0.0.1:58220 to 127.0.0.1:1812 length 134
Dropping packet without response because of error: Received packet from 127.0.0.1 with invalid Message-Authenticator!  (Shared secret is incorrect.) (from client localhost)

Using eapol_test -c test.conf -a 127.0.0.1 -stesting123
Reading configuration file 'test.conf'
Line: 1 - start of a new network block
key_mgmt: 0x1
identity - hexdump_ascii(len=10):
     6d 79 75 73 65 72 6e 61 6d 65                     myusername
proto: 0x2
eap methods - hexdump(len=16): 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00
ca_cert - hexdump_ascii(len=32):
     2f 65 74 63 2f 70 6b 69 2f 74 6c 73 2f 63 65 72   /etc/pki/tls/cer
     74 73 2f 63 61 2d 62 75 6e 64 6c 65 2e 63 72 74   ts/ca-bundle.crt
client_cert - hexdump_ascii(len=29):
     2f 65 74 63 2f 70 6b 69 2f 74 6c 73 2f 63 65 72   /etc/pki/tls/cer
     74 73 2f 73 65 72 76 65 72 2e 70 65 6d            ts/server.pem
private_key - hexdump_ascii(len=31):
     2f 65 74 63 2f 70 6b 69 2f 74 6c 73 2f 70 72 69   /etc/pki/tls/pri
     76 61 74 65 2f 73 65 72 76 65 72 2e 6b 65 79      vate/server.key
private_key_passwd - hexdump_ascii(len=5):
     38 30 32 31 78                                    8021x
Priority group 0
   id=0 ssid=''
Authentication server 127.0.0.1:1812
RADIUS local address: 127.0.0.1:54371
ENGINE: Loading builtin engines
ENGINE: Loading builtin engines
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Sending fake EAP-Request-Identity
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=48 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: Status notification: started (param=)
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=10):
     6d 79 75 73 65 72 6e 61 6d 65                     myusername
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=15)
TX EAP -> RADIUS - hexdump(len=15): 02 30 00 0f 01 6d 79 75 73 65 72 6e 61 6d 65
Encapsulating EAP message into a RADIUS packet
Learned identity from EAP-Response-Identity - hexdump(len=10): 6d 79 75 73 65 72 6e 61 6d 65
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=0 length=134
   Attribute 80 (Message-Authenticator) length=18
      Value: 00000000000000000000000000000000
   Attribute 1 (User-Name) length=12
      Value: 'myusername'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '02-00-00-00-00-01'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 6 (Service-Type) length=6
      Value: 2
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=17
      Value: 0230000f016d79757365726e616d65
RADIUS: Send 134 bytes to the server
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: startWhen --> 0
STA 02:00:00:00:00:01: Resending RADIUS message (id=0)

RADIUS: Send 134 bytes to the server
Next RADIUS client retransmit in 6 seconds
STA 02:00:00:00:00:01: Resending RADIUS message (id=0)

RADIUS: Send 134 bytes to the server
Next RADIUS client retransmit in 12 seconds
STA 02:00:00:00:00:01: Resending RADIUS message (id=0)

RADIUS: Send 134 bytes to the server
Next RADIUS client retransmit in 24 seconds
EAPOL test timed out
EAPOL: EAP key not available
EAPOL: EAP Session-Id not available
WPA: Clear old PMK and PTK
MPPE keys OK: 0  mismatch: 1
FAILURE

This doesn't appear to be a FreeRADIUS issue as the shared secret
works just fine with radclient:

# echo "User-Name = somebody,User-Password = dontcare" | radclient -x -s 127.0.0.1 auth testing123
Sent Access-Request Id 47 from 0.0.0.0:41624 to 127.0.0.1:1812 length 66
Message-Authenticator = 0x
User-Name = "somebody"
User-Password = "dontcare"
Cleartext-Password = "dontcare"
Received Access-Reject Id 47 from 127.0.0.1:1812 to 127.0.0.1:41624 length 38
Message-Authenticator = 0x10406f6c14a47ecf14b56f738188a885
(0) -: Expected Access-Accept got Access-Reject
Packet summary:
Accepted      : 0
Rejected      : 1
Lost          : 0
Passed filter : 0
Failed filter : 1

Tried with the eapol_client distributed with RHEL8 as well as one
built from the latest sources.

On Fri, Feb 21, 2025 at 11:06 AM Alan DeKok <aland at deployingradius.com> wrote:
>
> On Feb 21, 2025, at 10:52 AM, BuzzSaw Code <buzzsaw.code at gmail.com> wrote:
> >
> > Is eapol_test still the preferred way to test the various EAP methods?
> > Or is there a better tool for validating the FreeRADIUS
> > configuration that can be semi-automated?
>
>   eapol_test is the best thing to use.
>
>   Sample configurations are in src/tests/eap*.conf
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
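
Added example (not part of the original thread, and not FreeRADIUS or eapol_test code): the Message-Authenticator check behind the server error above, as defined in RFC 3579: HMAC-MD5 over the whole Access-Request with the attribute's 16 value bytes zeroed, keyed with the shared secret. The packet is rebuilt from the attribute dump in the post; the Request Authenticator and any second candidate secret are constructed for illustration, since the real values are not on the page.

```python
import hashlib, hmac, struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 3579)

def attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

# Attributes as listed in the eapol_test dump above (order preserved).
SAMPLE_ATTRS = [
    (1, b"myusername"), (4, bytes([127, 0, 0, 1])),
    (31, b"02-00-00-00-00-01"), (12, struct.pack("!I", 1400)),
    (61, struct.pack("!I", 19)), (6, struct.pack("!I", 2)),
    (77, b"CONNECT 11Mbps 802.11b"),
    (79, bytes.fromhex("0230000f016d79757365726e616d65")),
]
SAMPLE_REQ_AUTH = bytes(range(16))  # constructed; the real value is not on the page

def build_access_request(secret, ident=0):
    """Access-Request with Message-Authenticator first, signed with `secret`."""
    body = attr(MSG_AUTH, bytes(16)) + b"".join(attr(t, v) for t, v in SAMPLE_ATTRS)
    pkt = bytearray(struct.pack("!BBH", 1, ident, 20 + len(body)) + SAMPLE_REQ_AUTH + body)
    pkt[22:38] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)

def message_authenticator_offset(pkt):
    """Offset of the 16-byte Message-Authenticator value, or None if absent."""
    length = struct.unpack("!H", pkt[2:4])[0]
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == MSG_AUTH and attr_len == 18:
            return pos + 2
        pos += attr_len
    return None

def verify(pkt, secret):
    """True if the Message-Authenticator in `pkt` was computed with `secret`."""
    off = message_authenticator_offset(pkt)
    if off is None:
        return False
    length = struct.unpack("!H", pkt[2:4])[0]
    zeroed = pkt[:off] + bytes(16) + pkt[off + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[off:off + 16])

def matching_secrets(pkt, candidates):
    return [s for s in candidates if verify(pkt, s)]
```

Feeding `verify` the raw bytes of a captured Access-Request together with the secret configured for that client shows offline whether the two sides are using the same secret.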

